Phishing Attacks Cost Millions Despite Low Success Rate

New research from Trusteer shows that while the majority of phishing attacks are unsuccessful, those that slip past security defenses are costing millions of dollars. With nearly half of those who click on links to phishing sites giving up their personal information, here are some tips on what you need to do to protect your enterprise.

Ever wonder what percentage of people are clicking on those e-mails leading to fraudulent bank log-in pages? The answer is a very small percentage-but more than enough for phishers to still make a killing.

New research from security firm (PDF) Trusteer shows that once users had been lured to a phishing site, some 45 percent entered their log-in information. These findings, taken during a three-month analysis, are based on a sample of more than 3 million users of Trusteer's Rapport browser security service who are customers of 10 large U.S. and European banks.

Each phishing attack compromises a very small number of customers (0.000564 percent), but due to the large number of phishing attacks, the aggregated number is significant. Overall, 0.47 percent of the banks' customers fall victim to phishing attacks each year, translating to between $2.4 million and $9.4 million in annual losses per million online banking customers.

With that kind of money at stake, it is important that both businesses and consumers learn to recognize phishing e-mails when they see them. In an enterprise environment, that process begins with training.

"Engage the user base when developing a training program [and] view training programs as marketing campaigns to sell security," advised Rohyt Belani, CEO of Intrepidus. "Teach people through first-hand experience [mock phishing exercises followed with instant training/feedback] rather than boring sessions and poster campaigns that couch dos and don'ts."

He also suggested rewarding users who consistently dodge phishing attacks, rather than simply penalizing those who do not.

"People should have a basic level of suspicion associated with e-mail and understand that just because the 'from' address looks authentic, the e-mail contains a personalized salutation and the content is in appropriate context that it is not necessarily where or whom it claims to be from," he told eWEEK. "This will instill a thorough process of evaluation before acting on e-mail."

However, phishing scams are getting more difficult to detect, particularly in cases of spear phishing, which are targeted attacks, noted Scott Crawford, an analyst with Enterprise Management Associates.

"Message filtration technologies help with this, but as far as awareness goes, users should consider just about any message suspect unless it contains detail that would only be known to the sender [and] recipient-and even then, a skillfully crafted attack can look very believable," he said.